REVIEW: Fix for bypass in Firefox thanks to a newly discovered mXSS #94
Comments
If it's a breaking change, that means this should be a 1.0.0 release (semver-major). And the reason for it should be documented. What browsers could break by switching from
It might be a breaking change but I hope it's not, hence my review request :) So far it looks like it's not - but I cannot judge that on my own.
If all the browser tests are green, it seems to work … I'm sorry, but at some point you lost me with all the DOM voodoo going on. I must admit, I'm not that much into that particular topic to be of much help here. (Especially after exclusively working on the server side the last 14+ months.) ;)
Aye, okay :) Are the code conventions all met? If so, I'd merge and prepare a release.
s/@freddyb/@mozfreddyb ;-)
LGTM
Thx. I am preparing the 0.6.7 release now.
So, what was the bypass?
It was documented along with the release: https://github.com/cure53/DOMPurify/releases/tag/0.6.7
I think it was mentioned in the release notes, here's the issue discussed in Bugzilla:
@mozfreddyb "discussed" :) The issue still exists, FF is still unreliable and delivers broken innerHTML.
Seems like a spec problem to me. *shrugs*
Nope, it's a Firefox problem :) FF doesn't properly handle innerHTML in the SVG context. Even MSIE does it right :P
Hi @neilj and @fhemberger!
Today I ran into a mXSS issue on latest Gecko that causes a bypass under certain conditions. The problem is that Firefox shows different behavior for `innerHTML` interaction than any other browser when doing that in an SVG context. I talked to @freddyb of Mozilla and we developed a fix. The mXSS bug in Firefox causes a bypass when the sanitized HTML is later not being applied with `innerHTML` but with `document.write()` or alike. From a security standpoint, I find this to be close to critical. The cause for this issue is a parser behavior change in Gecko when dealing with HTML elements inside inline SVG documents. I will publish the attack vector after the fix has been reviewed (contact me offline for a PoC).

This fix might however be breaking so I'd love to hear your opinion. The tests are green and things look okay - but better to have that one triple-checked:
Changeset: https://github.com/cure53/DOMPurify/compare/DOMParser?expand=1
Test Results: https://travis-ci.org/cure53/DOMPurify/builds/80807894
Opinions are welcome!
Cheers,
.mario